Sane Password Policies for Businesses
Most companies have password policies. It is a requirement in today’s world. They want to keep their systems and data safe and secure, and authentication through passwords brings accountability to their systems.
In reality, password policies in most businesses encourage behavior, such as sharing passwords or using unsafe passwords, that undermine what the policies were created to accomplish. Without knowing that only Joe can log in as “joe”, there is no accountability or security.
I have created a set of policies that are sane and encourage good behavior. In short, policies that are effective.
Many of these policies run counter to common-knowledge best practices. If you are in a regulated field such as government or healthcare, you may not be able to implement these policies due to current laws or requirements of credit card companies. I encourage you to think critically about your policies and implement my suggestions where appropriate.
Password policies for users
Do not require frequent password changes
Frequent password changes encourage bad behavior; for example, writing passwords down somewhere unsafe. A post-it note is the most common example.
Do not enforce password reuse policies
If an administrator has to change someone’s password in order to log in as them, the user will not be able to change it back. This leads to the same bad behavior as if he required the user to change their password too frequently.
Do not require multiple passwords
This minimizes the risk that users will resort to post-its or insecure passwords. Use Single Sign-On technologies to keep the number of log-ins to a minimum. The purpose of passwords is user authentication, and users are already authenticated with the network when they log into their workstation.
Do forbid sharing of passwords or accounts
Accountability requires a one-to-one relationship between people and accounts.
Do require complex and long passwords
For passwords to be useful, they need to be secure and hard to crack. Long passwords make a bigger difference than complexity in cracking difficulty. This is even more important when you do not require your users to change passwords frequently.
Do provide help in selecting a strong, yet easy to remember password
Users are not equipped to think about passwords in a way that is effective. They need guidelines in how to select one that will not be a hardship when the policy is “16 characters and complex”. For this purpose, see my Password Best Practices post. You can download a PDF copy to distribute with a license that restricts alteration and requires attribution.
Password policies for administrators/help desk personnel
The same as above with the addition of:
Do not ever ask a user for their password
IT should set an example for users. If password sharing is forbidden, then asking users to violate that policy whenever it is convenient for IT teaches the wrong lesson. Use remote access tools to help your users. If you must log in as them and the user is unavailable, change the password rather than asking for it. With a sane password policy, it is rather trivial for users to change their passwords back.
Do use “user must change password on next login” flags
Most users will never change their password from “password.” Forcing them to change their passwords on next login will fix this vulnerability.
Do not use default passwords
Make sure that you authenticate users before giving them passwords; a default password will soon be known to everyone in the company. Authenticating users without passwords due to lost passwords, security lockouts, or IT password changes is just as important. I will cover this in a later post.
Password policies for service accounts/shared accounts
Try and minimize the use of shared accounts. Shared accounts limit accountability. If you think you need one, carefully think though the problem that needs to be solved. Sharing accounts indicates that there is an architectural problem.
Do require frequent password changes
Shared accounts and service accounts need frequent password changes, since every company has personnel turnover. A password change resets the number of people with knowledge of the current password. Any required change shorter than 90 days doesn’t make sense, six months to a year is more sane.
Do require different accounts for different purposes
The list of people who need access to a particular account will change over time in unpredictable ways. Separating accounts to particular uses ensures only the people who need access will have access.